TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities

September 24, 2008

Reference Number: 2008-20-163

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 24, 2008

MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
               CHIEF INFORMATION OFFICER

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Audit # 200720031)

This report presents the results of our review to determine whether appropriate security controls have been implemented in the Customer Account Data Engine (CADE) and the Account Management Services (AMS) systems.
This review was part of the Information Systems Programs business unit's statutory requirements to annually review the adequacy and security of Internal Revenue Service (IRS) information technology.

Impact on the Taxpayer

The CADE will provide the foundation for managing all taxpayer accounts and will replace existing tax processing systems. When we started our review, the AMS was being designed to interface with the CADE. The AMS will provide faster and improved access by employees to taxpayer account data. Security weaknesses in controls over sensitive data protection, system access, monitoring of system access, and disaster recovery have continued to exist even though key phases of the CADE and the AMS have been deployed. As a result, the IRS is jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as application releases1 are put into operation.

1 A release is a specific edition of software.

Synopsis

The IRS has established appropriate system development policies and procedures that require security and privacy safeguards to be planned for and designed in the early phases of a system's development life cycle. To ensure that projects progress satisfactorily toward implementation of all security and privacy requirements, the IRS implemented various evaluations that developmental projects must undergo prior to exiting the different milestones.2 In addition, the IRS annually updates the security and privacy control requirements that all new and existing information systems must address to comply with current Federal Government-wide guidance.
For new systems such as the CADE and the AMS, the goals of these requirements and evaluations are to ensure that 1) security has been considered and built into systems, and 2) no system is deployed with significant security vulnerabilities.

Despite these requirements, our review of available test documents provided by the IRS showed that both the CADE and the AMS were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. These vulnerabilities increase the risks that 1) an unscrupulous person, with little chance of detection, could gain unauthorized access to the vast amount of taxpayer information the IRS processes, and 2) the systems could not be recovered effectively and efficiently during an emergency.

We believe that the IRS' processes for ensuring that security controls are implemented before systems are deployed failed because key organizations did not consider the known security vulnerabilities to be significant,3 which affected vulnerability resolution and system deployment decisions. Specifically, the CADE and AMS project offices did not prevent and resolve known security vulnerabilities before deployment of the systems.
The Customer Service Executive Steering Committee,4 which has final milestone exit approval, 1) did not provide sufficient oversight to ensure that security controls were implemented, and 2) signed off unconditionally on CADE milestones despite the existence of weaknesses repeatedly reported to the Committee. Finally, the Cybersecurity organization recommended–and the system owners accepted–the risks associated with these vulnerabilities by accrediting5 the systems. We disagree with the system owners' acceptance of what we consider excessive risks for these security vulnerabilities, particularly the inabilities to successfully recover the systems and their data in the event of a disaster and to detect malicious security events and unauthorized accesses to taxpayer data.

Since 1997, the IRS has designated computer security as a material weakness.6 In addition, the IRS continues to struggle with addressing security vulnerabilities on its modernized systems. We identified some of these same vulnerabilities in prior audit reports on the CADE and other modernization projects. The IRS agreed with most of our findings and responded that it would ensure that security control requirements were planned for early in the Enterprise Life Cycle7 process, and it was committed to addressing its deficiencies in modernized systems.

2 Milestones provide for "go/no-go" decision points in a project and are sometimes associated with funding approval to proceed.
3 We believe these security vulnerabilities to be significant because they affect the systems' abilities to 1) restrict access to only those individuals with a business need, 2) monitor activities for questionable transactions, 3) protect data from unauthorized disclosure, and 4) ensure continued operation of the systems. We also believe that the significance of these security vulnerabilities is heightened because the CADE and the AMS are critical modernized systems that will affect the future success of the IRS' computing environment. In addition, the National Institute of Standards and Technology specifies a minimum baseline of security controls that all Federal Government systems must address to ensure compliance with Federal security standards.
4 The charter for this Committee shows that its primary objective is to ensure that project objectives are met, risks are managed appropriately, and the expenditure of enterprise resources is fiscally sound.
Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of the massive volume of taxpayer data processed and stored by the CADE and the AMS.

Recommendations

We recommended that the Director, Business Modernization Office, and the Director, Customer Service, as the Co-Chairs of the Customer Service Executive Steering Committee, consider all security vulnerabilities–including those associated with general support systems–that affect the overall security of the CADE and the AMS before approving unconditional milestone exits. The CADE and AMS Project Managers should provide more emphasis on preventing and resolving security vulnerabilities identified during Enterprise Life Cycle processes.

The Wage and Investment Division Directors of the CADE and the AMS, in their roles as system owners, should approve interim authorities to operate when significant security control weaknesses exist in system environments. These interim authorities to operate should contain specific terms and conditions in accordance with IRS policy. The Associate Chief Information Officer, Cybersecurity, should 1) recommend interim authorities to operate when significant security vulnerabilities exist in system environments, and 2) continue efforts to improve the accuracy and completeness of risk information in the security assessment reports by listing the general support system controls that are not yet implemented in the system environment and documenting concurrence by appropriate offices when reporting that vulnerabilities identified during milestone reviews have been corrected.

5 Accreditation is the official management decision given by the owner of an information system to authorize the operation of the system and to explicitly accept the risks.
6 The Federal Managers' Financial Integrity Act of 1982 (31 U.S.C. §§ 1105, 1113, 3512 (2000)) requires that each Federal Government agency conduct annual evaluations of its systems of internal accounting and administrative control and submit an annual statement on the status of the agency's system of management controls. As part of the evaluations, agency managers identify control areas that can be considered material weaknesses. The Department of the Treasury has defined a material weakness as, "shortcomings in operations or systems which, among other things, severely impair or threaten the organization's ability to accomplish its mission or to prepare timely, accurate financial statements or reports." Material weaknesses are reported outside the agency and thus receive additional oversight.
7 A structured business systems development method that requires the preparation of specific work products during different phases of the development process.

Response

The IRS agreed with our recommendations. It will continue to follow the governance process documented in the Customer Service Executive Steering Committee charter and consider all security vulnerabilities to ensure that best practices are in place for the successful delivery of project security and functionality.
The IRS will continue to follow the existing Enterprise Life Cycle processes for identifying, confirming, and resolving security vulnerabilities at the requirements, design, development, and testing life cycle stages, with an increased emphasis on both preventing and resolving security vulnerabilities identified during the Enterprise Life Cycle processes. It will also strengthen its process for capturing and documenting all Executive Steering Committee meeting minutes.

The IRS will continue to follow existing policy to issue interim authorities to operate with appropriate timelines when significant control weaknesses exist in system environments. The Cybersecurity organization has modified the certification and accreditation process to include documented concurrence by the Information Technology Security Architecture and Engineering Office and/or the Office of Privacy, Information Protection, and Data Security when reporting in security assessment reports that vulnerabilities identified during milestone reviews have been corrected. Management's complete response to the draft report is included as Appendix IV.

Office of Audit Comment

Although the IRS agreed with all of our recommendations, the related corrective actions for the first four recommendations are focused on continuing to follow existing processes or strengthening current processes. As stated in the report, we believe that the existing security vulnerabilities were not caused by process deficiencies. Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background .......... Page 1
Results of Review .......... Page 4
    Internal Revenue Service Organizations and Oversight Groups Did Not Consider Known Security Vulnerabilities to Be Significant Enough to Either Resolve the Vulnerabilities or Deploy the Systems With Conditional Restrictions .......... Page 4
        Recommendation 1: .......... Page 13
        Recommendations 2 through 5: .......... Page 14
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology .......... Page 16
    Appendix II – Major Contributors to This Report .......... Page 17
    Appendix III – Report Distribution List .......... Page 18
    Appendix IV – Management's Response to the Draft Report .......... Page 19

Abbreviations

AMS    Account Management Services
CADE   Customer Account Data Engine
IRS    Internal Revenue Service
NIST   National Institute of Standards and Technology
PII    Personally identifiable information

Background

The Internal Revenue Service (IRS) stores sensitive financial and personal information for more than 130 million individual taxpayers who file annual Federal income tax returns. Each tax return contains personally identifiable information (PII), such as the filer's name, address, and Social Security Number. Because of the volume of data it maintains, the IRS is an attractive target for criminals intent on committing identity theft by stealing and using someone else's identity for their own financial gain. To address public concern about the proper storage of taxpayer data, the IRS is subject to certain security restrictions and requirements.

Like all Federal Government agencies, the IRS should protect its computer systems by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in National Institute of Standards and Technology (NIST)1 Special Publication 800-53.2 NIST Special Publication 800-53 specifies the minimum baseline of security controls that all Federal Government information systems must address, based on each system's security categorization level of high, moderate, or low. These security controls include system access, audit logging, and contingency planning.

In addition, the IRS is specifically required by Federal law to keep taxpayer data confidential and to prevent unauthorized disclosure or browsing of taxpayer records.
Section 6103 of the Internal Revenue Code3 prohibits the disclosure of tax returns and tax return information and requires that the storage of such information be secure and the access restricted to only those persons whose duties and responsibilities require access. The Taxpayer Browsing Protection Act of 19974 also provides criminal penalties and civil remedies to help ensure that tax returns and tax return information remain confidential. These requirements apply to all IRS computer systems that maintain sensitive data. For the IRS, two of its most important modernized systems are the Customer Account Data Engine (CADE) and the Account Management Services (AMS).

The CADE will provide the foundation for managing taxpayer accounts to achieve the IRS modernization vision. It consists of databases and related applications that will replace the IRS' existing Master File5 processing system, which is the current primary repository of taxpayer information. Initiated in September 1999, the CADE project had cost more than $490 million as of June 2007 and is scheduled to cost more than $1 billion to develop, operate, and maintain through Calendar Year 2012. The CADE is being incrementally developed over multiple releases6 and will deploy two releases per year–a midyear release to cover new functionalities and a year-end release to cover tax law changes and maintenance.

In July 2004, the first release of the CADE began processing the simplest Income Tax Returns for Single and Joint Filers With No Dependents (Form 1040EZ). The second and third releases of the CADE added increased functionality, and future releases are scheduled to provide additional functionalities so that the CADE can eventually house the account information of more than 200 million individual and business taxpayers. From January 1 to April 22, 2008, the CADE posted 28.1 million tax returns (19.8 percent of the total 141.8 million filed) and issued 26.8 million refunds (28.8 percent of the total 93.2 million issued) totaling more than $41.7 billion (18.3 percent of the total $228.2 billion refunded). These results significantly surpass the 11.2 million returns posted by the CADE for all of Calendar Year 2007. In addition, the CADE was able to support timely issuance of payments to millions of taxpayers mandated by the Economic Stimulus Act of 20087 beginning after the height of the filing season8 and with limited lead time for preparation.

The IRS is also developing the AMS system. When we started our review, the AMS was being designed to interface with the CADE, much like the Integrated Data Retrieval System9 currently does with the Master File. During our review, the scope of the AMS was changed. The AMS will provide faster and improved access by employees to taxpayer account data, which will minimize taxpayer interaction and provide more timely responses to and resolution of taxpayer inquiries.

1 The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
2 Recommended Security Controls for Federal Information Systems, Revision 1, published December 2006.
3 26 U.S.C. Section (§) 6103.
4 26 U.S.C.A. §§ 7213, 7213A, 7431 (West 2006).
5 The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
Initiated in August 2006, the AMS project is scheduled to cost more than $700 million to develop, operate, and maintain through Calendar Year 2024. The first release of the AMS, deployed in October 2007, was limited to achieving address changes in the CADE environment. As of January 2008, 1,000 of 120,000 address change requests could be completed in the CADE environment in real time, while the others were changed in the Master File.

This review was performed at the office of the Chief Information Officer in New Carrollton, Maryland, during the period September 2007 through April 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

6 A release is a specific edition of software.
7 Pub. L. No. 110-185, 122 Stat. 613.
8 The period from January through mid-April when most individual income tax returns are filed.
9 IRS computer system capable of retrieving or updating stored information. It works in conjunction with a taxpayer's account records.

Results of Review

Internal Revenue Service Organizations and Oversight Groups Did Not Consider Known Security Vulnerabilities to Be Significant Enough to Either Resolve the Vulnerabilities or Deploy the Systems With Conditional Restrictions

The IRS has established appropriate system development policies and procedures that require security and privacy safeguards to be planned for and designed in the early phases of a system's development life cycle, called the Enterprise Life Cycle10 at the IRS. To ensure that projects progress satisfactorily toward implementation of all security and privacy requirements, the IRS implemented various evaluations that developmental projects must undergo prior to exiting the different milestones11 of the Enterprise Life Cycle. These evaluations include milestone reviews performed by the Office of Privacy, Information Protection, and Data Security (the Office of Privacy), the Information Technology Security Architecture and Engineering Office (the Security Engineering Office), and the Cybersecurity organization. In addition, the IRS annually updates the security and privacy control requirements that all new and existing information systems must address to comply with current NIST guidance.
For new systems, the goals of these requirements and evaluations are to ensure that 1) security has been considered and built into systems, and 2) no system is deployed with significant security vulnerabilities.

Despite these requirements, our review of available test documents provided by the IRS showed that both the CADE and the AMS were deployed with known security vulnerabilities. The following security control vulnerabilities were identified by the Office of Privacy, the Security Engineering Office, and the Cybersecurity organization during testing of CADE Release 2.2, which was deployed in January 2007, and Release 3.1, which was deployed in August 2007:

• Security events and unauthorized access to taxpayer accounts by privileged CADE users were not captured. Privileged users, such as system administrators, have the ability to access, modify, and delete information on a computer system. This security weakness means that any activities by a privileged user, such as illegal browsing, changes, or theft of taxpayer data, might go undetected.

10 A structured business systems development method that requires preparation of specific work products during different phases of the development process.
11 Provide for "go/no-go" decision points in a project and are sometimes associated with funding approval to proceed.

• Contractors could make changes to system configuration settings without notice, approval, or security checks.
Lack of configuration management restrictions increases the likelihood that an unauthorized user could gain access to the CADE and alter configuration settings to improperly manipulate taxpayer data.

• The CADE Disaster Recovery Plan and the Information Technology Contingency Plan had not been sufficiently tested. Weaknesses in contingency planning and disaster recovery activities might hinder efforts to recover the CADE and its data in the event of a disaster.

• Backup tapes from the offsite storage facility were not tested at the original site or alternative site. Backup tapes should be tested regularly to ensure that data are being stored correctly and that files can be restored without errors or lost data.

• Interconnection Security Agreements were not in place or did not contain complete and current interface information. Failure to agree on the security and use of interconnection data among Federal Government agencies might compromise the confidentiality, accuracy, validity, and availability of CADE data.

• The CADE did not have the ability to identify and process all error codes. Receipt of too many error codes at one time could overwhelm the CADE and bring the system to a halt.

• The CADE development staff did not test security features before releasing the application code. If required security testing is not performed before the release of new updates to the CADE, any flaws in the application code could go undetected and threaten the confidentiality, availability, and integrity of the system data.

• Vulnerability scans of the mainframe computer on which the CADE resides identified one high-risk failure and several configurations that were not sufficient for protecting taxpayer data. These vulnerabilities were not corrected.
Allowing these vulnerabilities to remain on the mainframe computer exposes the CADE to unnecessary risks.

• The CADE did not employ an application-specific vulnerability scanning tool. If vulnerability scanning is not performed at the application level, known vulnerabilities might go undetected and expose the application to unnecessary risk for the confidentiality, availability, and integrity of the system data.

• The system did not automatically terminate a session after 15 minutes of inactivity. An insufficient timeout mechanism allows a user to remain logged into a system for extended periods without re-authenticating his or her session, particularly if the user walks away from the computer without locking it. This situation increases the risk of an unauthorized user gaining undetected access to the application.

• Malicious code protection was not implemented. The CADE might be vulnerable to malicious code attacks, such as computer viruses.

• PII data were transmitted in clear text within Computing Centers.12 Transmitting PII unencrypted leaves it readable by anyone positioned to observe the network path, so its confidentiality is not protected and the IRS is exposed to unnecessary risks.

• CADE PII data backed up on tapes, disks, and compact discs, and data shared with external agencies, were not encrypted.
Failure to protect the confidentiality of stored or shared information could allow anyone who obtains the media or the shared data to read it and exposes the IRS to unnecessary risks.

• Unauthorized access to PII could occur in mainframe computer memory, disk space, and tapes because the data were not removed before the media were reused. Failure to properly remove taxpayer data from system memory devices before reuse increases the risk of unauthorized access to PII.

• The CADE did not have adequate controls to ensure that only the minimal amount of PII required for the particular CADE release was collected, stored, transferred, and processed. The CADE was not complying with Federal privacy laws13 that require computer systems to collect no more information with respect to taxpayers and IRS employees than is necessary and relevant for tax administration and other legally mandated or authorized purposes.

• The CADE was using live data in more than 18 test environments for application development testing, but the system owner did not properly describe how the CADE will acquire, use, and dispose of the live data. As a result, the risk of improper disclosure of PII was increased.

The following security control vulnerabilities were identified by the Security Engineering Office and the Cybersecurity organization during testing of AMS Release 1.1, which was deployed in October 2007:

• Auditing controls were not sufficient to identify security-related events and unauthorized access to taxpayer information. Activities such as illegal browsing, changes, or theft of taxpayer files might go undetected.

• Procedures were not implemented for disabling inactive accounts.
Persons no longer\n         needing access to carry out responsibilities and persons with a malicious intent could use\n         the accounts to gain unauthorized access to the system.\n\n12\n   IRS Computing Centers support tax processing and information management through a data processing and\ntelecommunications infrastructure.\n13\n   Privacy Act of 1974, 5 U.S.C. \xc2\xa7 552a (2000).\n                                                                                                       Page 6\n\x0c                                   The Internal Revenue Service Deployed\n                                Two of Its Most Important Modernized Systems\n                                     With Known Security Vulnerabilities\n\n\n\n     \xe2\x80\xa2   The system did not automatically terminate a session after 15 minutes of inactivity. An\n         insufficient timeout mechanism allows a user to remain logged into a system for extended\n         periods without re-authenticating his or her session, particularly if the user walks away\n         from the computer without locking it. This situation increases the risk that an\n         unauthorized user might gain undetected access to the application.\n     \xe2\x80\xa2   No alternate processing site had been established for the AMS. In the event of an\n         area-wide disruption or disaster, availability of the AMS could be affected.\n     \xe2\x80\xa2   The application error log contained Taxpayer Identification Numbers, risking\n         accidental or intentional disclosure. 
Capturing Taxpayer Identification Numbers in an\n         error log unnecessarily exposes the data to accidental or intentional disclosure, which\n         might result in identity theft and other unlawful use of the data.\n     \xe2\x80\xa2   The operating system hosting the AMS was determined to have only a 77.8 percent\n         compliance rate with required security settings, including 5 high-risk failures.\n         Noncompliant configurations could leave the infrastructure as well as the application\n         open to known and unknown security threats that could affect the confidentiality,\n         integrity, and availability of the application and the PII it processes and stores.\nMissing security controls in the CADE and the AMS relate mainly to the protection of sensitive\ndata, system access, audit logging,14 and disaster recovery. These security weaknesses increase\nthe risks that 1) an unscrupulous person, with little chance of detection, could gain unauthorized\naccess to the vast amount of taxpayer information the IRS processes, and 2) the systems could\nnot be recovered effectively and efficiently during an emergency. Until security control\nvulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability\nof the massive volume of taxpayer data processed and stored by the CADE and the AMS.\nManagement Action: Subsequent to our audit fieldwork, the IRS advised us that 11 of the\n22 security vulnerabilities mentioned previously had been either corrected during subsequent\nreleases or determined not to be vulnerabilities after deployment, and actions were being taken to\naddress the remaining 11 security vulnerabilities. We plan to perform a followup review to\nevaluate the effectiveness of the IRS\xe2\x80\x99 corrective actions.\n\n\n\n\n14\n   An audit log is a chronological record of activities that allow for the reconstruction, review, and examination of a\ntransaction from inception to final results. 
Audit logs can be used to detect unauthorized accesses to computer networks.

We believe these security vulnerabilities to be significant because they affect the systems' abilities to 1) restrict access to only those individuals with a business need, 2) monitor activities for questionable transactions, 3) protect data from unauthorized disclosure, and 4) ensure continued operation of the systems. We also believe that the significance of these security vulnerabilities is heightened because the CADE and the AMS are critical modernized systems that will affect the future success of the IRS' computing environment. In addition, the NIST specifies a minimum baseline of security controls that all Federal Government systems must address to ensure compliance with Federal security standards.

We identified two areas of concern regarding why these systems were deployed with significant security vulnerabilities. Specifically:
• The CADE and AMS project offices did not ensure that the security vulnerabilities were adequately prevented, or resolved once they were identified, and the Customer Service Executive Steering Committee[15] approved milestone exits without giving adequate consideration to what we view as significant security vulnerabilities on the systems.
• The Cybersecurity organization recommended, and the CADE and the AMS system owners approved, that the systems be fully accredited[16] without giving adequate consideration to what we view as significant security vulnerabilities on the systems.

Prevention and resolution of security vulnerabilities were not given adequate consideration prior to deployment of the systems

NIST Special Publication 800-53 specifies the recommended security controls for all Federal Government information systems. The IRS mandated that any business unit developing an information system must ensure that the system project office for the development effort has adequate security engineering expertise to properly address the planning and implementation of the minimum security controls required for protection of the data residing on its systems. Because of the criticality of both the CADE and the AMS, the IRS established specific project offices for both systems. The project offices should ensure that security controls have been implemented and security vulnerabilities have been mitigated or resolved during the Enterprise Life Cycle and prior to deployment.

Throughout the Enterprise Life Cycle, the Customer Service Executive Steering Committee is responsible for final exit approval at each milestone.
This Committee consists of 14 IRS executives from the Wage and Investment Division and the Modernization and Information Technology Services organization, and it is co-chaired by an executive from each. Governance by the Customer Service Executive Steering Committee includes 1) ensuring that projects adhere to accepted principles and practices of the Enterprise Life Cycle, and 2) resolving enterprise-wide issues for its projects, such as the CADE and the AMS.

[15] The charter for the Customer Service Executive Steering Committee shows that its primary objective is to ensure that project objectives are met, risks are managed appropriately, and the expenditure of enterprise resources is fiscally sound.
[16] Accreditation is the official management decision given by the owner of an information system to authorize the operation of the system and to explicitly accept the risks.

The decision to approve a milestone exit is based on the recommendation from the Enterprise Life Cycle Program Management Office, which conducts milestone readiness reviews. When significant security or privacy concerns exist, a conditional milestone exit may be recommended. This type of exit generally requires that the condition be corrected prior to the next milestone exit. Otherwise, the Customer Service Executive Steering Committee gives an unconditional exit approval, and system development proceeds to the next milestone.

Despite these requirements and key milestone decision points, we found that most of the security vulnerabilities discussed previously were identified repeatedly during CADE milestone reviews and were not corrected. Rather, they were carried over from milestone to milestone and even from release to release. The continued existence of these security vulnerabilities indicates that security controls were not sufficiently considered by the project office and built into the systems during the Development Phase of later releases.

In addition to not building in security controls during the Development Phase, the CADE project office did not resolve the security vulnerabilities previously discussed and, as a result, the CADE was deployed with these vulnerabilities. Seven of the 16 CADE security vulnerabilities were attributable to the project office and should have been addressed by it. The other nine CADE security vulnerabilities related to general support systems[17] or enterprise-wide deficiencies. The project office advised us that it was not responsible for addressing these security control weaknesses because they were beyond its system boundaries and authority, and it assumed that the owners of the nine general support systems on which the CADE relies were responsible for implementing many of its required security and privacy controls.

Of the six security vulnerabilities on the AMS, the project office was responsible for two, which it should have addressed.
The other four security vulnerabilities were related to general support systems or enterprise-wide deficiencies.

[17] A general support system is an interconnected set of information resources under the same direct management control that shares common functionality and normally includes hardware, software, data, applications, communications, and people.

NIST Special Publication 800-18, Revision 1,[18] specifies that if a system is defined as a major application,[19] such as the CADE and the AMS, and the application is run on a general support system, the major application owner is responsible for acceptance of risk and must ensure that the system security plan of the general support system provides adequate protection for the application and its data. In addition, more recent NIST draft guidance specifies that if the general support system or common controls do not provide the security controls required by the individual information system, the project office should take appropriate actions to supplement those controls to cover any protection deficits that result at the system level.

Regardless of who was responsible for implementing the various security controls, we believe that the Customer Service Executive Steering Committee was in the best position to ensure that all significant security vulnerabilities were resolved or mitigated prior to deployment. Unfortunately, for the security vulnerabilities mentioned previously, the Customer Service Executive Steering Committee did not 1) provide sufficient oversight to ensure that security controls were implemented, or 2) consider the security vulnerabilities significant enough to place conditional restrictions on the releases or to delay the releases altogether. As a result, it signed off unconditionally on CADE milestones despite the existence of repeatedly reported security weaknesses.

Of the security vulnerabilities discussed previously, we are most concerned about the lack of audit logs and disaster recovery capabilities in modernized systems.
It might be understandable that older legacy systems cannot log transactions or comply with other current security and privacy requirements, such as disaster recovery capabilities, because of older computer equipment. However, the IRS should ensure that these requirements are included in modernized systems. According to the NIST,[20] any effort to install logging capabilities or other security controls after deployment of a system will likely cost significantly more than if the security capabilities had been designed into the system during the Development Phase.

We believe that the lack of attention to security controls during the Development Phase can be traced to other business requirements, filing season pressures, and deployment demands. These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged in security needs and requirements. Consequently, the CADE reached rollout dates without security controls, and accreditation officials were put in the position of implementing a critical system with significant security flaws rather than delaying the deployment.

[18] Guide for Developing Security Plans for Federal Information Systems, published February 2006.
[19] An application is the use of information resources (information and information technology) to satisfy a specific set of user requirements. A major application contains, processes, stores, or transmits information critical to the agency's mission.
[20] Security Considerations in the Information System Development Life Cycle (NIST Special Publication 800-64 Revision 1, published June 2004).

The IRS continues to struggle with addressing security vulnerabilities on its modernized systems. We identified some of these same vulnerabilities in prior audit reports on the CADE and other modernization projects. Specifically, in 2005 we reported that the IRS was not adequately considering security controls early enough in the Development Phase of a system.[21] We identified several inadequate security controls that should have been addressed in the Development Phase, including security configurations, audit logs, and disaster recovery plans. In 2004 and 2006, we reported that audit logs for IRS modernized systems were not functioning.[22] The IRS agreed with most of our findings and responded that it would ensure that security control requirements were planned for early in the Enterprise Life Cycle process, and that it was committed to addressing its deficiencies in audit logging on modernized systems.

The systems were accredited despite the existence of several known security vulnerabilities

The last step of the developmental process, and the most critical key decision point prior to deployment of a system, is the accreditation by the system owner. In making the decision to accredit an information system, the system owner essentially accepts the risk of the system and approves its deployment and operation.
The system owner can give the system an authority to operate, give an interim authority to operate for a period of time until significant deficiencies are corrected, or prevent the system from deploying. The system owner bases his or her accreditation decisions on several certification documents.

During the certification process, the Cybersecurity organization develops the test plan based on the system security plan, performs the testing of application-specific security controls, and provides the results in the security assessment report. The Cybersecurity organization also issues a certification memorandum that provides a summary of the certification results and a recommendation for the system owner to grant the authority to operate, grant an interim authority to operate, or deny authority to operate.

Despite the presence of what we believe were significant unresolved security vulnerabilities on the systems, the system owners did not consider the security vulnerabilities to be significant enough to either give an interim authority to operate or delay deployment, and they gave authorities to operate for the CADE and the AMS. We disagree with the system owners' acceptance of what we consider excessive risks for these security vulnerabilities, particularly the inability to recover the systems and their data in the event of a disaster and the inability to detect malicious security events and unauthorized accesses to taxpayer data. The current cyber-threat environment in the Federal Government dictates the need for any significant system to have these capabilities.

[21] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated August 2005).
[22] The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004) and Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Reference Number 2006-20-177, dated September 29, 2006).

We believe that the CADE and the AMS should have been given interim authorities to operate due to what we view as significant security vulnerabilities present on the systems. Further, the CADE should not be approved to operate if the significant security vulnerabilities require extended remediation time. In making the accreditation decision, the CADE system owner considered only those controls for which the owner was directly responsible. However, the decision to accredit should not be made in isolation; it should be made with regard to agency-wide business process considerations and the interconnections with other systems, such as the general support systems.

We also disagree with the CADE and the AMS certification memoranda issued by the Associate Chief Information Officer, Cybersecurity, which recommended that the system owners grant an authority to operate.
While the certification memoranda mentioned the existence of security vulnerabilities on the systems, the memorandum for the earlier CADE Release 2.2 stated, "With your commitment to develop a plan to address and ultimately resolve all identified risks for the CADE application timely, I am recommending you grant an Authorization to Operate for the CADE application." The later CADE Release 3.1 had most of the same security vulnerabilities. We believe that the system owners relied heavily on the Cybersecurity organization's recommendation as well as the Customer Service Executive Steering Committee's exit approvals during the Enterprise Life Cycle.

The recommendations in the certification memoranda are based on security assessment reports. However, we found that the security assessment reports provided only summary-level security vulnerability information for general support systems and contained incomplete and erroneous security control implementation status. As a result, the system owners might not have known the full extent of the risks they were accepting when authorizing the CADE and the AMS to operate.

In addition, since 1997, the IRS has designated computer security as a material weakness,[23] which the IRS has segregated into nine separate vulnerability areas: 1) network access controls; 2) key computer applications and system access controls; 3) software configuration; 4) functional business, operating, and program units' security roles and responsibilities; 5) segregation of duties between system and security administrators; 6) contingency planning and disaster recovery; 7) monitoring of key networks and systems; 8) security training; and 9) certification and accreditation. While the IRS is working toward closing these areas, we believe that the existence of the computer security material weakness needs to be considered when making decisions on system deployments.

[23] The Federal Managers' Financial Integrity Act of 1982 (31 U.S.C. §§ 1105, 1113, 3512 (2000)) requires that each Federal Government agency conduct annual evaluations of its systems of internal accounting and administrative control and submit an annual statement on the status of the agency's system of management controls. As part of the evaluations, agency managers identify control areas that can be considered material weaknesses. The Department of the Treasury has defined a material weakness as "shortcomings in operations or systems which, among other things, severely impair or threaten the organization's ability to accomplish its mission or to prepare timely, accurate financial statements or reports." Material weaknesses are reported outside the agency and thus receive additional oversight.

We also believe that the IRS goal to certify and accredit all of its systems adversely affected the agency's ability to objectively evaluate the security posture of its systems, especially for the CADE and the AMS. NIST Special Publication 800-37[24] specifically states that systems with interim authorities to operate cannot be considered accredited.
As a result, the existence of systems with interim authorities to operate might affect the agency in the following ways:
• The E-Government section in the President's Management Agenda initiative pertains to the certification and accreditation of systems. Using the color-coded rating to determine success levels, the President's Management Agenda allows an agency to achieve the optimum "green" status only if the agency maintained 100 percent of its systems as certified and accredited.
• The Federal Information Security Management Act[25] includes an evaluative section on the agency's number of systems that have been certified and accredited. This percentage affects the agency's overall grade.
• The Office of Management and Budget requires completion of the Exhibit 300[26] to comply with the Clinger-Cohen Act of 1996.[27] Any operational system that has not been certified and accredited might not have its proposed budget approved for funding by the Office of Management and Budget.

[24] Guide for the Security Certification and Accreditation of Federal Information Systems, published May 2004.
[25] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[26] The Exhibit 300 is a detailed budget justification that information technology system owners must complete and submit annually to the Office of Management and Budget.
[27] Federal Acquisition Reform Act of 1996 and Information Technology Management Reform Act of 1996, Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).

Recommendations

Recommendation 1: The Director, Business Modernization Office, and the Director, Customer Service, serving as the Co-Chairs of the Customer Service Executive Steering Committee, should consider all security vulnerabilities, including those associated with general support systems, that affect the overall security of the CADE and the AMS before approving milestone exits. Equal emphasis should be placed on security and functionality.

Management's Response: The IRS agreed with this recommendation. It will continue to follow the governance process documented in the Customer Service Executive Steering Committee charter and consider all security vulnerabilities to ensure that best practices are in place for the successful delivery of project security and functionality.

Recommendation 2: The CADE and AMS Project Managers should provide more emphasis on both preventing and resolving security vulnerabilities identified during Enterprise Life Cycle processes.

Management's Response: The IRS agreed with this recommendation. It will continue to follow the existing Enterprise Life Cycle processes for identifying, confirming, and resolving security vulnerabilities at the requirements, design, development, and testing life cycle stages, with an increased emphasis on both preventing and resolving security vulnerabilities identified during the Enterprise Life Cycle processes.
The IRS will also strengthen its process for capturing and documenting all Executive Steering Committee meeting minutes.

Recommendation 3: The Wage and Investment Division Directors of the CADE and the AMS, in their roles as system owners, should approve interim authorities to operate when significant security control weaknesses exist in system environments. These interim authorities to operate should contain specific terms and conditions in accordance with IRS policy, including corrective actions to be taken by the information system owners and a required time period for completion of the corrective actions, before authorities to operate are granted.

Management's Response: The IRS agreed with this recommendation. It will continue to follow existing policy to issue interim authorities to operate with appropriate timelines when significant control weaknesses exist in system environments.

Recommendation 4: The Associate Chief Information Officer, Cybersecurity, should recommend interim authorities to operate when significant security vulnerabilities exist in system environments.

Management's Response: The IRS agreed with this recommendation. The Cybersecurity organization has been recommending interim authorities to operate when significant security vulnerabilities exist in system environments as a standard part of the IRS certification and accreditation process.

Recommendation 5: The Associate Chief Information Officer, Cybersecurity, should continue efforts to improve the accuracy and completeness of risk information in the security assessment reports by listing the general support system controls that are not yet implemented in the system environment and documenting concurrence by the Security Engineering Office and the Office of Privacy when reporting that vulnerabilities identified during milestone reviews have been corrected.

Management's Response: The IRS agreed with this recommendation. The Cybersecurity organization has modified the certification and accreditation process to include documented concurrence by the Security Engineering Office and/or the Office of Privacy when reporting in security assessment reports that vulnerabilities identified during milestone reviews have been corrected.
The Cybersecurity organization will update its standard operating procedures to incorporate these process changes and will continue to strengthen the process by including the relevant general support system Plan of Action and Milestones as an attachment to each application security assessment report.

Office of Audit Comment: Although the IRS agreed with all of our recommendations, the related corrective actions for the first four recommendations are focused on continuing to follow existing processes or strengthening current processes. As stated in the report, we believe that the existing security vulnerabilities were not caused by process deficiencies. Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of the review was to determine whether appropriate security controls have been implemented in the CADE and the AMS systems.[1] To accomplish our objective, we:
I. Determined whether appropriate security controls had been considered and included in the CADE and the AMS.
   A. Reviewed the security categorization criteria prescribed by Federal Information Processing Standards Publication 199[2] and NIST Special Publication 800-60[3] and determined whether the security categorizations the IRS assigned to the CADE and the AMS were documented and supported.
   B. Compared the minimum security controls in NIST Special Publication 800-53[4] to the security controls listed in the system security plans for CADE Releases 2.2 and 3.1 and AMS Release 1.1 and determined whether all minimum security controls were included.
   C. Determined whether security controls were integrated early enough in the CADE Releases 2.2 and 3.1 and AMS Release 1.1 system development life cycles to be cost effective.
II. Determined whether the security controls were fully tested as prescribed in NIST Special Publication 800-37[5] by an independent test team.
III. Determined whether the security assessment reports were prepared in accordance with NIST Special Publication 800-37.
IV. Obtained supporting documentation for closed recommendations in two prior Treasury Inspector General for Tax Administration reports[6] and determined whether corrective actions were completed and effective.

[1] The CADE will provide the foundation for managing all taxpayer accounts and will replace existing tax processing systems. The AMS will provide faster and improved access by employees to taxpayer account data.
[2] Standards for Security Categorization of Federal Information and Information Systems, published February 2004.
[3] Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1, published June 2004.
[4] Recommended Security Controls for Federal Information Systems, Revision 1, published December 2006.
[5] Guide for the Security Certification and Accreditation of Federal Information Systems, published May 2004.
[6] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated August 2005) and Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Reference Number 2006-20-177, dated September 29, 2006).

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Preston B. Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Jody Kitazono, Lead Auditor
Alan Beber, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
Midori Ohno, Senior Auditor
Joan Raniolo, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Chief Information Officer OS:CIO
Deputy Commissioner, Wage and Investment Division SE:W
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:CPIC:IC
Audit Liaisons:
   Commissioner, Wage and Investment Division SE:W
   Chief Information Officer OS:CIO

Appendix IV

Management's Response to the Draft Report
Known Security Vulnerabilities\n\n\n\n\n                                               Page 21\n\x0c   The Internal Revenue Service Deployed\nTwo of Its Most Important Modernized Systems\n     With Known Security Vulnerabilities\n\n\n\n\n                                               Page 22\n\x0c'